AES-256 Symmetric Key Encryption

Hi Everyone, 

This blog is the first step in our bringing AES256 encryption to PFILE. Kevin will fill you in on the details. A future IT focused blog will explain this offer to our customers.

 

Hello! My name is Kevin Dawkins. I am a developer on the RMS team. For some time now, partners and customers have been requesting that we move to AES-256 symmetric key based encryption. Starting with our next release, expected in March, we will be making AES-256 symmetric key based encryption the standard way to protect files!

Overview for IT Pros 

To ensure compatibility and the ability to consume files protected against AES256, please make sure you have updated your apps recently. The consumption functionality was added to our October 2014 released SDK, so any apps built after that date will be able to consume AES 256 protected files. If your customers are running apps built with our SDK before October 2014, this update will break their application. They will not be able to consume p-files (which includes PPDF, PTXT, and all .pfile). We have let our partners know.  

When you are ready to start protecting files with AES-256 bit encryption in your organization, please ensure that you deploy our new RMS sharing app from the upcoming release. Similarly, other ISV applications on Windows that use RMS SDK 2.1 also need to be updated to leverage the new encryption standard.

However, for all mobile RMS enabled applications using Azure RMS, production support will happen automatically when we update the Azure RMS service in the next release. As of now, mobile devices are all able to consume AES 256 protected content.

Once again, if your users haven’t updated their application to at least the version shipped in October 2014, then they will not be able to open AES-256 bit protected files created by the new applications in the coming milestones.

Office, however, is still using AES-128 bit encryption. We are working with them for updating the Office infrastructure, but we have no timeline to report yet.

 

Developer Details 

With this release, no additional code is required to use AES 256 based encryption assuming you build against the updated SDK. You should seriously consider updating your app with the new SDK for the additional security benefits of AES-256.

This change has prompted a redesign of how we manage and expose encryption options to programmers using our API. Starting with this release, we will expose the following three encryption packages:

  • IPC_ENCRYPTION_PACKAGE_AES256_CBC4K (** Which is also the new default **)
  • IPC_ENCRYPTION_PACKAGE _AES128_CBC4K
  • IPC_ENCRYPTION_PACKAGE _AES128_ECB (Deprecated Algorithms*)

 

The encryption packages can be used in conjunction with our new License Property flag IPC_LI_PREFERRED_ENCRYPTION_PACKAGE.

One important point to note is that we will no longer be exposing the IPC_LI_DEPRECATED_ENCRYPTION_ALGORITHMS flag in our API. This means that future apps will no longer compile if they reference this flag, but apps already built will continue to work since we will honor the flag privately in the API code. Getting the benefit of the old deprecated encryption algorithms flag can still be achieved simply by changing two flags. See the sample code below.

Here is some sample code that demonstrates how to use the new license property.

 

Protect Files with AES 256 CBC4K:

hr = IpcCreateLicenseFromTemplateID(pcTil->aTi[0].wszID, 0, NULL, &pLicenseHandle);

// No change in code here, AES 256 CBC4K is default.

 

Protect Files with AES-128 CBC4K:

hr = IpcCreateLicenseFromTemplateID(pcTil->aTi[0].wszID, 0, NULL, &pLicenseHandle);

DWORD dwEncryptionMode = IPC_ENCRYPTION_PACKAGE_AES128_CBC4K;

hr = IpcSetLicenseProperty(pLicenseHandle, false, IPC_LI_PREFERRED_ENCRYPTION_PACKAGE, &dwEncryptionMode);

 

Protect Files with AES-128 ECB:

This sample also shows the new way of using “Deprecated Algorithms.”

hr = IpcCreateLicenseFromTemplateID(pcTil->aTi[0].wszID, 0, NULL, &pLicenseHandle);

DWORD dwEncryptionMode = IPC_ENCRYPTION_PACKAGE_AES128_ECB;

// The deprecated algorithm package

 

hr = IpcSetLicenseProperty(pLicenseHandle, false, IPC_LI_PREFERRED_ENCRYPTION_PACKAGE, &dwEncryptionMode);

 

Support for consumption of AES 256 protected files has existed since the October 2014 release. If anyone is running applications built with a version of the SDK from before October
2014
, this update will break their application. Please make sure that customers of the application you are building, are either using an updated SDK, or are willing to immediately update to the most recent version of your application.